
Pin GitHub Actions to specific versions #48

Merged
marek-saji merged 3 commits into v1 from feat/feat-action-versions
Feb 3, 2026

Conversation

@marek-saji (Contributor)

Why?

When using GitHub Actions, you use git references. These can be commit SHAs,
branch names, or tags. For the majority of actions we used branch names with the major
version only, and for chromaui/action we used the latest tag, which meant they
could change without us realising it.

What?

Update all references to point to git tags, which hopefully will not change.

We do have dependabot configured to check for updates, so we will update them.
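The description above distinguishes commit SHAs, branch names, and tags as action references. The script below is an added example, not code from this pull request or repository: it scans `uses:` lines in a workflow and classifies each reference as SHA, full semver tag, major-only, or branch/latest, so a reviewer can list the mutable references that this PR replaced. The sample workflow text is constructed for the example; only the 40-hex-digit form of a commit SHA is assumed.

```python
import re
from typing import List, Tuple

# Constructed sample workflow; not this repository's real ci.yaml.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v6            # major-only: floats with the v6 ref
      - uses: actions/setup-node@v6.2.0      # full semver tag
      - uses: chromaui/action@latest         # 'latest' tag: changes silently
      - uses: ataylorme/eslint-annotate-action@3.0.0
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./notify-status                # local action: nothing to pin
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # assumption: full 40-hex commit id
SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")
MAJOR_RE = re.compile(r"^v?\d+(\.\d+)?$")

def classify_ref(ref: str) -> str:
    """Classify the git reference after '@' in a uses: value."""
    if SHA_RE.match(ref):
        return "sha"                # immutable: the commit cannot be moved
    if SEMVER_RE.match(ref):
        return "semver-tag"         # stable by convention; a tag can still be re-pointed
    if MAJOR_RE.match(ref):
        return "major-only"         # floats to the newest release in that major line
    return "branch-or-latest"       # branch name or 'latest': changes without notice

def audit_workflow(text: str) -> List[Tuple[str, str]]:
    """Return (uses-value, classification) for every action reference in the text."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if uses.startswith("./") or uses.startswith("docker://"):
            findings.append((uses, "local-or-docker"))
            continue
        _, _, ref = uses.partition("@")
        findings.append((uses, classify_ref(ref) if ref else "unpinned"))
    return findings

def mutable_refs(text: str) -> List[str]:
    """References that can change under you: anything not a SHA or a full semver tag."""
    return [u for u, kind in audit_workflow(text)
            if kind in ("major-only", "branch-or-latest", "unpinned")]
```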

@marek-saji marek-saji self-assigned this Feb 2, 2026
@coderabbitai (Contributor) coderabbitai bot commented Feb 2, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Pinned CI/CD action versions across multiple workflows for more stable, reproducible runs.
    • Updated Slack notification integration to a newer action; authentication and message payload were adjusted.
    • Added a manual "Test notify" workflow to trigger and validate Slack notifications.

Walkthrough

Pinned multiple GitHub Action versions across workflows, added a workflow to manually test the Slack notifier, and changed notify-status/action.yaml to use slackapi/slack-github-action@v2.1.1 with payload-based channel, explicit method: chat.postMessage, and token input.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workflows, version pin updates: `.github/workflows/chromatic.yaml`, `.github/workflows/ci.yaml`, `.github/workflows/create-release.yaml`, `.github/workflows/deploy-cloudfunction.yaml`, `.github/workflows/deploy-cloudrun.yaml`, `.github/workflows/docker-build-push.yaml` | Bumped pinned versions for multiple third-party GitHub Actions (examples: chromaui/action@v13.3.5, actions/checkout@v6.0.2, google-github-actions/*@v3.*, Docker/QEMU/Buildx actions). No control-flow or input changes. |
| Action metadata / Slack integration: `notify-status/action.yaml` | Switched to slackapi/slack-github-action@v2.1.1; replaced legacy channel-id usage with payload including "channel": "${{ inputs.slack-channel-id }}", added method: chat.postMessage and with.token. Authentication/input shape changed accordingly. |
| Action metadata, setup: `setup/action.yaml` | Updated pinned actions used by this action (e.g., actions/checkout@v6.0.2, actions/setup-node@v6.2.0, cache v5.0.3). No behavior changes. |
| New test workflow: `.github/workflows/test-notify-status.yaml` | Added workflow_dispatch workflow to test notify-status; accepts channel_id and invokes ./notify-status with secrets/inputs (status, token, channel, text). |

Sequence Diagram(s)

sequenceDiagram
    participant Runner as Runner
    participant Notify as notify-status action
    participant Slack as Slack API
    Runner->>Notify: invoke action (status, slack-channel-id, text, token)
    Notify->>Slack: POST chat.postMessage with payload { "channel": inputs.slack-channel-id, "text": ... }
    Slack-->>Notify: 200 OK / message metadata
    Notify-->>Runner: step success / outputs

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • smelchior
  • erolci

Poem

🐰 I hopped through YAML fields so bright,
Pins aligned and versions tight.
I nudged the payload, passed the token true,
A message flew — a tiny woohoo.
🥕 Pipelines hum; I nibble code tonight.

🚥 Pre-merge checks: 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'Pin GitHub Actions to specific versions' accurately and clearly summarizes the main change: updating GitHub Actions references from mutable versions to specific pinned versions. |
| Description check | ✅ Passed | The description clearly explains the rationale (mutable references can change unexpectedly) and what was changed (updating to git tags/semantic versions), directly relating to the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai (Contributor) coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.github/workflows/ci.yaml:
- Around line 253-256: The workflow step using actions/github-script@v8.0.0
(step name "Check if we need to install browsers", id: browsers) requires
runners with Node 24 (minimum GitHub Actions runner v2.327.1); verify your CI
runners meet that minimum or change the action version to a Node 20-compatible
release (e.g., v7.x) before merging, and run CI locally or in a sandbox to test
Node 24 compatibility for your scripts and dependencies so no runtime breakages
occur.

In @.github/workflows/deploy-cloudfunction.yaml:
- Around line 51-61: The workflow uses
google-github-actions/deploy-cloud-functions@v4.0.0 and
google-github-actions/auth@v3.0.0 which require Node 24+ and only support Cloud
Functions Gen 2 and no longer accept env vars from a file; update the workflow
to (1) ensure the runner environment is Node 24+ (or switch to a runner that
supports Node 24) so auth@v3.0.0 and deploy-cloud-functions@v4.0.0 run
correctly, (2) confirm the deploy step is configured to target Cloud Functions
Gen 2 (use the deploy action's Gen2-specific input or flag in
deploy-cloud-functions), and (3) stop relying on the removed "env vars from
file" feature and instead load and pass environment variables via the deploy
action’s environment_variables input (or set them in a prior step) so the Gen2
deployment receives required env vars.

In @.github/workflows/deploy-cloudrun.yaml:
- Around line 52-64: The workflow pins google-github-actions/auth@v3.0.0 which
requires Node.js 24 on the runner; update the workflow to either pin a version
that uses Node.js 20 or constrain the job to run only on GitHub-hosted runners
(e.g., specify runs-on with a hosted label) and/or document the Node.js 24
requirement; confirm the inputs service_account and workload_identity_provider
remain unchanged for the chosen action version (referencing
google-github-actions/auth@v3.0.0, actions/checkout@v6.0.2, and
google-github-actions/setup-gcloud@v3.0.1) and adjust the action tag or runner
selection accordingly so self-hosted runners without Node 24 do not attempt to
run this job.

Replace major-version-only tags (v3, v4, v5, v6, v8) and 'latest' tag
with specific semantic versions to improve reproducibility and security.

Co-authored-by: copilot-cli

Update action versions in composite actions to use specific semantic
versions instead of major-version-only tags.

Co-authored-by: copilot-cli
@marek-saji marek-saji force-pushed the feat/feat-action-versions branch from c87b4bf to 681b392 on February 2, 2026 16:52

@coderabbitai (Contributor) coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/ci.yaml:
- Line 98: The action version string for the ESLint annotate step currently uses
"ataylorme/eslint-annotate-action@3.0.0" which is inconsistent with the repo's
other action tags; update the version reference to include the "v" prefix (use
"ataylorme/eslint-annotate-action@v3.0.0") so it matches the format used
elsewhere and keeps tag style consistent across CI actions.

In `@notify-status/action.yaml`:
- Line 41: The Slack action usage of slackapi/slack-github-action@v2.1.1 uses
v1-style inputs and env var; update the action's with: block to pass token as an
explicit input (token: ${{ inputs.slack-bot-token }}), add method:
chat.postMessage, and replace channel-id by embedding the channel inside a JSON
payload (payload: { "channel": ${{ inputs.slack-channel-id }}, "text": ... })
instead of using channel-id input; also remove the SLACK_BOT_TOKEN environment
variable from the step.

@coderabbitai (Contributor) coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/test-notify-status.yaml:
- Around line 14-16: The workflow step "Send test Slack notification" uses a
local action via uses: ./notify-status but there is no checkout step, so the
repository files (and the notify-status action) won't be available; add a step
that runs actions/checkout@v4 (or appropriate actions/checkout version)
immediately before the "Send test Slack notification" step so the local action
directory exists when referenced.


@marek-saji marek-saji force-pushed the feat/feat-action-versions branch from 8824087 to 23f2a13 on February 2, 2026 17:21
@marek-saji marek-saji merged commit a9d3fcb into v1 Feb 3, 2026
2 checks passed
@marek-saji marek-saji deleted the feat/feat-action-versions branch February 3, 2026 10:48